Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Search For Exact Word

sajbutler
Path Finder
‎07-25-2012 10:54 PM

Hi

When I execute a search for "foo", I only want events that have the word foo and not events that have words like foo.bar or bar.foo.

Any suggestions?

SAJB

Tags (2)
Reply

Meharkant123
New Member
‎04-25-2018 03:13 AM

not workind both the command 😞
"\sfoo\s"
".\sfoo\s."

still getting foobar

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2018 09:11 AM

@Meharkant123 This thread is almost 6 years old. For better chances at a helpful response, please post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lguinn2
Legend
‎07-25-2012 11:47 PM

First, Splunk normally searches by words, not by characters. So "foosball" will always be eliminated, because there is no "word" foo.

"foo.bar" and "bar.foo" are trickier because you have to understand what defines a "word" in Splunk. Whitespace always delimits words, but internal punctuation may/may not. It depends on the segmentation. Inner segmentation says that punctuation delimits words, just like whitespace. Outer segmentation says that only whitespace delimits words. By default, Splunk indexes both ways, and calls it full segmentation.

So normally, when you search for "foo", you will get "foo.bar" and "bar.foo".

To take more control of how Splunk searches, use the regex command. It allows you to keep or eliminate events that match a regular expression. This will let you search with case sensitivity or by characters.

For example:

sourcetype=yoursourcetype foo
| regex _raw=".*\sfoo\s.*"

will match any event that has "foo" in it, where foo is not capitalized and is surrounded by white space.

Note that I also included foo in the initial search. Why? Well, it is more efficient to eliminate all the events that don't have foo anywhere in the event before you apply the regex. For other kinds of searches, that might not be helpful, though.

Reply

Ayn
Legend
‎07-26-2012 12:15 AM

Excellent answer. I'll just add that you could also omit the leading and trailing .* because Splunk will match on that implicitly anyway.

regex _raw="\sfoo\s"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...